Security Advisory Moderate: spice-server security update

Advisory: RHSA-2013:1192-1
Type: Security Advisory
Severity: Moderate
Issued on: 2013-09-03
Last updated on: 2013-09-03
Affected Products: Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux HPC Node (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.4)
Red Hat Enterprise Linux Server EUS (v. 6.4.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2013-4130

Details

An updated spice-server package that fixes one security issue is now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The Simple Protocol for Independent Computing Environments (SPICE) is a
remote display protocol for virtual environments. SPICE users can access a
virtualized desktop or server from the local system or any system with
network access to the server. SPICE is used in Red Hat Enterprise Linux for
viewing virtualized guests running on the Kernel-based Virtual Machine
(KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A flaw was found in the way concurrent access to the clients ring buffer
was performed in the spice-server library. A remote user able to initiate a
SPICE connection to an application acting as a SPICE server could use this
flaw to crash the application. (CVE-2013-4130)

This issue was discovered by David Gibson of Red Hat.

Users of spice-server are advised to upgrade to this updated package, which
contains a backported patch to correct this issue. Applications acting as a
SPICE server must be restarted for this update to take effect. Note that
QEMU-KVM guests providing SPICE console access must be restarted for this
update to take effect.
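
One way to check the restart requirement above, as an added example that is not part of the advisory: a process started before the update keeps the replaced library mapped, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map the pre-update libspice-server.

# Succeeds when FILE (/proc/<pid>/maps format) maps a libspice-server shared
# object whose on-disk file has been replaced; the kernel tags it "(deleted)".
maps_has_stale_lib() {
    grep -Eq '/libspice-server\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print the PIDs under PROC_ROOT (default /proc) that need a restart.
list_stale_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_lib "$maps"; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Build a constructed /proc-like tree (sample data, not real output):
# PID 101 maps the replaced library, PID 202 maps the current one,
# PID 303 does not use SPICE at all.
make_sample_proc() {
    root=$(mktemp -d) || return 1
    mkdir "$root/101" "$root/202" "$root/303"
    printf '%s\n' \
      '7f10a0000000-7f10a00f3000 r-xp 00000000 fd:00 131 /usr/lib64/libspice-server.so.1 (deleted)' \
      > "$root/101/maps"
    printf '%s\n' \
      '7f20b0000000-7f20b00f3000 r-xp 00000000 fd:00 977 /usr/lib64/libspice-server.so.1' \
      > "$root/202/maps"
    printf '%s\n' \
      '7f30c0000000-7f30c01a0000 r-xp 00000000 fd:00 412 /lib64/libc-2.12.so' \
      > "$root/303/maps"
    echo "$root"
}

# Scan the live system only when invoked with "--live" (run as root so that
# other users' maps files are readable).
if [ "${1:-}" = "--live" ]; then
    list_stale_pids /proc
fi
```

Run it with `--live` once `rpm -q spice-server` reports the updated package; any PID it prints belongs to an application or QEMU-KVM guest that has not yet been restarted.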


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Updated packages

Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
 
Red Hat Enterprise Linux HPC Node (v. 6)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
 
Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
 
Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHSA-2013:1473
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
spice-server-0.12.0-12.el6_4.3.src.rpm
File outdated by:  RHBA-2013:1819
 
x86_64:
spice-server-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-debuginfo-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
spice-server-devel-0.12.0-12.el6_4.3.x86_64.rpm
File outdated by:  RHBA-2013:1819
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

984769 - CVE-2013-4130 spice: unsafe clients ring access abort


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/